Memory addresses
I am workin on Overthewire narnia2(ctf game).
Currently I am learning how to use the gdb and I have a simple question.
(gdb) x/200x $esp-0xac
0xffffd5a4: 0x08048534 0xffffd5c8 0xf7e5b7d0 0xffffd5c8
0xffffd5b4: 0xf7ffd920 0xf7e5b7d5 0x08048494 0x08048534
0xffffd5c4: 0xffffd5c8 0x6850c031 0x68732f2f 0x69622f68
0xffffd5d4: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x41414180
0xffffd5e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd604: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd614: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd624: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd634: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd644: 0x41414141 0x62626262 0xf7e2a200 0x00000002
0xffffd654: 0xffffd6e4 0xffffd6f0 0x00000000 0x00000000
0xffffd664: 0x00000000 0xf7fc5000 0xf7ffdc0c 0xf7ffd000
0xffffd674: 0x00000000 0x00000002 0xf7fc5000 0x00000000
0xffffd684: 0x59e07c0a 0x6308501a 0x00000000 0x00000000
(gdb) x/200x $esp
0xffffd7a0: 0x000036b2 0x0000000e 0x000036b2 0x00000017
0xffffd7b0: 0x00000001 0x00000019 0xffffd7eb 0x0000001a
0xffffd7c0: 0x00000000 0x0000001f 0xffffdfe8 0x0000000f
0xffffd7d0: 0xffffd7fb 0x00000000 0x00000000 0x00000000
0xffffd7e0: 0x00000000 0x00000000 0x8b000000 0xb1cfbc04
0xffffd7f0: 0x91563e77 0xcb1ff506 0x6957e20c 0x00363836
0xffffd800: 0x00000000 0x00000000 0x00000000 0x72616e2f
0xffffd810: 0x2f61696e 0x6e72616e 0x00326169 0x41414141
0xffffd820: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd830: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd840: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd850: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd860: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd870: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd880: 0x41414141 0x31414141 0x2f6850c0 0x6868732f
0xffffd890: 0x6e69622f 0x5350e389 0xc289e189 0x80cd0bb0
what am I looking at when I do $esp-0xac? I've also seen other methods like $esp-0x14, but why not do plain $esp?
what is the most used and why?
c debugging gdb buffer-overflow
add a comment |
I am workin on Overthewire narnia2(ctf game).
Currently I am learning how to use the gdb and I have a simple question.
(gdb) x/200x $esp-0xac
0xffffd5a4: 0x08048534 0xffffd5c8 0xf7e5b7d0 0xffffd5c8
0xffffd5b4: 0xf7ffd920 0xf7e5b7d5 0x08048494 0x08048534
0xffffd5c4: 0xffffd5c8 0x6850c031 0x68732f2f 0x69622f68
0xffffd5d4: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x41414180
0xffffd5e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd604: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd614: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd624: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd634: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd644: 0x41414141 0x62626262 0xf7e2a200 0x00000002
0xffffd654: 0xffffd6e4 0xffffd6f0 0x00000000 0x00000000
0xffffd664: 0x00000000 0xf7fc5000 0xf7ffdc0c 0xf7ffd000
0xffffd674: 0x00000000 0x00000002 0xf7fc5000 0x00000000
0xffffd684: 0x59e07c0a 0x6308501a 0x00000000 0x00000000
(gdb) x/200x $esp
0xffffd7a0: 0x000036b2 0x0000000e 0x000036b2 0x00000017
0xffffd7b0: 0x00000001 0x00000019 0xffffd7eb 0x0000001a
0xffffd7c0: 0x00000000 0x0000001f 0xffffdfe8 0x0000000f
0xffffd7d0: 0xffffd7fb 0x00000000 0x00000000 0x00000000
0xffffd7e0: 0x00000000 0x00000000 0x8b000000 0xb1cfbc04
0xffffd7f0: 0x91563e77 0xcb1ff506 0x6957e20c 0x00363836
0xffffd800: 0x00000000 0x00000000 0x00000000 0x72616e2f
0xffffd810: 0x2f61696e 0x6e72616e 0x00326169 0x41414141
0xffffd820: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd830: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd840: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd850: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd860: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd870: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd880: 0x41414141 0x31414141 0x2f6850c0 0x6868732f
0xffffd890: 0x6e69622f 0x5350e389 0xc289e189 0x80cd0bb0
what am I looking at when I do $esp-0xac? I've also seen other methods like $esp-0x14, but why not do plain $esp?
what is the most used and why?
c debugging gdb buffer-overflow
add a comment |
I am workin on Overthewire narnia2(ctf game).
Currently I am learning how to use the gdb and I have a simple question.
(gdb) x/200x $esp-0xac
0xffffd5a4: 0x08048534 0xffffd5c8 0xf7e5b7d0 0xffffd5c8
0xffffd5b4: 0xf7ffd920 0xf7e5b7d5 0x08048494 0x08048534
0xffffd5c4: 0xffffd5c8 0x6850c031 0x68732f2f 0x69622f68
0xffffd5d4: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x41414180
0xffffd5e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd604: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd614: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd624: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd634: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd644: 0x41414141 0x62626262 0xf7e2a200 0x00000002
0xffffd654: 0xffffd6e4 0xffffd6f0 0x00000000 0x00000000
0xffffd664: 0x00000000 0xf7fc5000 0xf7ffdc0c 0xf7ffd000
0xffffd674: 0x00000000 0x00000002 0xf7fc5000 0x00000000
0xffffd684: 0x59e07c0a 0x6308501a 0x00000000 0x00000000
(gdb) x/200x $esp
0xffffd7a0: 0x000036b2 0x0000000e 0x000036b2 0x00000017
0xffffd7b0: 0x00000001 0x00000019 0xffffd7eb 0x0000001a
0xffffd7c0: 0x00000000 0x0000001f 0xffffdfe8 0x0000000f
0xffffd7d0: 0xffffd7fb 0x00000000 0x00000000 0x00000000
0xffffd7e0: 0x00000000 0x00000000 0x8b000000 0xb1cfbc04
0xffffd7f0: 0x91563e77 0xcb1ff506 0x6957e20c 0x00363836
0xffffd800: 0x00000000 0x00000000 0x00000000 0x72616e2f
0xffffd810: 0x2f61696e 0x6e72616e 0x00326169 0x41414141
0xffffd820: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd830: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd840: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd850: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd860: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd870: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd880: 0x41414141 0x31414141 0x2f6850c0 0x6868732f
0xffffd890: 0x6e69622f 0x5350e389 0xc289e189 0x80cd0bb0
what am I looking at when I do $esp-0xac? I've also seen other methods like $esp-0x14, but why not do plain $esp?
what is the most used and why?
c debugging gdb buffer-overflow
I am workin on Overthewire narnia2(ctf game).
Currently I am learning how to use the gdb and I have a simple question.
(gdb) x/200x $esp-0xac
0xffffd5a4: 0x08048534 0xffffd5c8 0xf7e5b7d0 0xffffd5c8
0xffffd5b4: 0xf7ffd920 0xf7e5b7d5 0x08048494 0x08048534
0xffffd5c4: 0xffffd5c8 0x6850c031 0x68732f2f 0x69622f68
0xffffd5d4: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x41414180
0xffffd5e4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd5f4: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd604: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd614: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd624: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd634: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd644: 0x41414141 0x62626262 0xf7e2a200 0x00000002
0xffffd654: 0xffffd6e4 0xffffd6f0 0x00000000 0x00000000
0xffffd664: 0x00000000 0xf7fc5000 0xf7ffdc0c 0xf7ffd000
0xffffd674: 0x00000000 0x00000002 0xf7fc5000 0x00000000
0xffffd684: 0x59e07c0a 0x6308501a 0x00000000 0x00000000
(gdb) x/200x $esp
0xffffd7a0: 0x000036b2 0x0000000e 0x000036b2 0x00000017
0xffffd7b0: 0x00000001 0x00000019 0xffffd7eb 0x0000001a
0xffffd7c0: 0x00000000 0x0000001f 0xffffdfe8 0x0000000f
0xffffd7d0: 0xffffd7fb 0x00000000 0x00000000 0x00000000
0xffffd7e0: 0x00000000 0x00000000 0x8b000000 0xb1cfbc04
0xffffd7f0: 0x91563e77 0xcb1ff506 0x6957e20c 0x00363836
0xffffd800: 0x00000000 0x00000000 0x00000000 0x72616e2f
0xffffd810: 0x2f61696e 0x6e72616e 0x00326169 0x41414141
0xffffd820: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd830: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd840: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd850: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd860: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd870: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd880: 0x41414141 0x31414141 0x2f6850c0 0x6868732f
0xffffd890: 0x6e69622f 0x5350e389 0xc289e189 0x80cd0bb0
what am I looking at when I do $esp-0xac? I've also seen other methods like $esp-0x14, but why not do plain $esp?
what is the most used and why?
c debugging gdb buffer-overflow
c debugging gdb buffer-overflow
edited Dec 15 at 7:52
Cœur
17.4k9102143
17.4k9102143
asked Nov 23 at 0:26
Joel alexis
134
134
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
what am i looking at when i do $esp-0xac?
The $esp
register points to the boundary (in memory) between used and unused portion of the stack. On i*86
processors, stack grows to lower addresses, so anything above (at higher addresses) $esp
contains used portion of the stack (local variables, return addresses, saved registers, etc.) and anything below (at lower addresses) contains currently unused portion of the stack.
The command x/200x $esp-0xac
then examines contents of 43 32-bit words of currently used stack, and 157 words of unused portion of the stack.
ive also seen other methods like $esp-0x14, but why not do plain $esp?
The $esp-0x14
would let you look at the last 5 used words of the stack. Using $esp
would let you look at the unused portion of the stack. You could do that, but it's somewhat pointless.
what is the most used and why?
Examining stack is useful when you want to where some specific value is stored (e.g. during exploit / stack buffer overflow analysis), or when you are debugging at the machine instruction level.
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439365%2fmemory-addresses%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
what am i looking at when i do $esp-0xac?
The $esp
register points to the boundary (in memory) between used and unused portion of the stack. On i*86
processors, stack grows to lower addresses, so anything above (at higher addresses) $esp
contains used portion of the stack (local variables, return addresses, saved registers, etc.) and anything below (at lower addresses) contains currently unused portion of the stack.
The command x/200x $esp-0xac
then examines contents of 43 32-bit words of currently used stack, and 157 words of unused portion of the stack.
ive also seen other methods like $esp-0x14, but why not do plain $esp?
The $esp-0x14
would let you look at the last 5 used words of the stack. Using $esp
would let you look at the unused portion of the stack. You could do that, but it's somewhat pointless.
what is the most used and why?
Examining stack is useful when you want to where some specific value is stored (e.g. during exploit / stack buffer overflow analysis), or when you are debugging at the machine instruction level.
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
add a comment |
what am i looking at when i do $esp-0xac?
The $esp
register points to the boundary (in memory) between used and unused portion of the stack. On i*86
processors, stack grows to lower addresses, so anything above (at higher addresses) $esp
contains used portion of the stack (local variables, return addresses, saved registers, etc.) and anything below (at lower addresses) contains currently unused portion of the stack.
The command x/200x $esp-0xac
then examines contents of 43 32-bit words of currently used stack, and 157 words of unused portion of the stack.
ive also seen other methods like $esp-0x14, but why not do plain $esp?
The $esp-0x14
would let you look at the last 5 used words of the stack. Using $esp
would let you look at the unused portion of the stack. You could do that, but it's somewhat pointless.
what is the most used and why?
Examining stack is useful when you want to where some specific value is stored (e.g. during exploit / stack buffer overflow analysis), or when you are debugging at the machine instruction level.
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
add a comment |
what am i looking at when i do $esp-0xac?
The $esp
register points to the boundary (in memory) between used and unused portion of the stack. On i*86
processors, stack grows to lower addresses, so anything above (at higher addresses) $esp
contains used portion of the stack (local variables, return addresses, saved registers, etc.) and anything below (at lower addresses) contains currently unused portion of the stack.
The command x/200x $esp-0xac
then examines contents of 43 32-bit words of currently used stack, and 157 words of unused portion of the stack.
ive also seen other methods like $esp-0x14, but why not do plain $esp?
The $esp-0x14
would let you look at the last 5 used words of the stack. Using $esp
would let you look at the unused portion of the stack. You could do that, but it's somewhat pointless.
what is the most used and why?
Examining stack is useful when you want to where some specific value is stored (e.g. during exploit / stack buffer overflow analysis), or when you are debugging at the machine instruction level.
what am i looking at when i do $esp-0xac?
The $esp
register points to the boundary (in memory) between used and unused portion of the stack. On i*86
processors, stack grows to lower addresses, so anything above (at higher addresses) $esp
contains used portion of the stack (local variables, return addresses, saved registers, etc.) and anything below (at lower addresses) contains currently unused portion of the stack.
The command x/200x $esp-0xac
then examines contents of 43 32-bit words of currently used stack, and 157 words of unused portion of the stack.
ive also seen other methods like $esp-0x14, but why not do plain $esp?
The $esp-0x14
would let you look at the last 5 used words of the stack. Using $esp
would let you look at the unused portion of the stack. You could do that, but it's somewhat pointless.
what is the most used and why?
Examining stack is useful when you want to where some specific value is stored (e.g. during exploit / stack buffer overflow analysis), or when you are debugging at the machine instruction level.
answered Nov 23 at 5:11
Employed Russian
123k19164233
123k19164233
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
add a comment |
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
Very helpful. Thank you very much for giving me this clarity.
– Joel alexis
Nov 24 at 21:45
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439365%2fmemory-addresses%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown